[***] Summary: [***]

28 new OPEN, 30 new PRO (28 + 2). TA410, TraderTraitor,
Android/Spy.Banker.AZQ, Others.

Thanks @travisbgreen, @CISAgov, @souiten, @ESETresearch

Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2036383 - ET MALWARE Common RAT Connectivity Check Observed
(malware.rules)
2036384 - ET MALWARE TA410 APT FlowCloud Dependency Download M1
(malware.rules)
2036385 - ET MALWARE TA410 APT FlowCloud Dependency Download M2
(malware.rules)
2036387 - ET MALWARE TA410 APT FlowCloud Dependency Download M4
(malware.rules)
2036388 - ET MALWARE Possible TA410 APT FlowCloud Dependency Download
(malware.rules)
2036389 - ET INFO Commonly Abused SSL/TLS Certificate Observed
(mylnavyfederal .com) (info.rules)
2036390 - ET MALWARE DPRK APT Related Maldoc Activity (POST)
(malware.rules)
2036391 - ET MALWARE TA410 APT FlowCloud Hardcoded Request (POST)
(malware.rules)
2036392 - ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT
Bypass (CVE-2022-21449) (exploit.rules)
2036393 - ET HUNTING Suspicious SSL Certificate detected (Observed in US
Government Bid Credential Phish) (hunting.rules)
2036394 - ET MALWARE TraderTraitor CnC Domain (alticgo .com) in DNS
Lookup (malware.rules)
2036395 - ET MALWARE TraderTraitor CnC Domain (cryptais .com) in DNS
Lookup (malware.rules)
2036396 - ET MALWARE TraderTraitor CnC Domain (tokenais .com) in DNS
Lookup (malware.rules)
2036397 - ET MALWARE TraderTraitor CnC Domain (aideck .net) in DNS Lookup
(malware.rules)
2036398 - ET MALWARE TraderTraitor CnC Domain (www .esilet .com) in DNS
Lookup (malware.rules)
2036399 - ET MALWARE TraderTraitor CnC Domain (creaideck .com) in DNS
Lookup (malware.rules)
2036400 - ET MALWARE TraderTraitor CnC Domain (dafom .dev) in DNS Lookup
(malware.rules)
2036401 - ET MALWARE Observed TraderTraitor Domain (alticgo .com) in TLS
SNI (malware.rules)
2036402 - ET MALWARE Observed TraderTraitor Domain (cryptais .com) in TLS
SNI (malware.rules)
2036403 - ET MALWARE Observed TraderTraitor Domain (tokenais .com) in TLS
SNI (malware.rules)
2036404 - ET MALWARE Observed TraderTraitor Domain (aideck .net) in TLS
SNI (malware.rules)
2036405 - ET MALWARE Observed TraderTraitor Domain (www .esilet .com) in
TLS SNI (malware.rules)
2036406 - ET MALWARE Observed TraderTraitor Domain (creaideck .com) in
TLS SNI (malware.rules)
2036407 - ET MALWARE Observed TraderTraitor Domain (dafom .dev) in TLS
SNI (malware.rules)
2036408 - ET MALWARE TraderTraitor dafom CnC Checkin M1 (POST)
(malware.rules)
2036409 - ET MALWARE TraderTraitor dafom CnC Checkin M2 (POST)
(malware.rules)
2036410 - ET MALWARE TraderTraitor AlticGO CnC Checkin (POST)
(malware.rules)

Pro:

2851532 - ETPRO MOBILE_MALWARE Observed Android/Spy.Banker.AZQ Domain in
TLS SNI (mobile_malware.rules)
2851533 - ETPRO MOBILE_MALWARE Observed Android/Spy.Banker.AZQ Domain in
TLS SNI (mobile_malware.rules)

[///] Modified active rules: [///]

2036300 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1
(hunting.rules)
2036301 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2
(hunting.rules)
2036302 - ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3
(hunting.rules)
2811429 - ETPRO MALWARE Downeks CnC Beacon (malware.rules)

[---] Removed rules: [---]

2823676 - ETPRO MALWARE Common RAT Connectivity Check Observed
(malware.rules)
2842895 - ETPRO MALWARE FlowCloud Dependency Download M1 (malware.rules)
2842896 - ETPRO MALWARE FlowCloud Dependency Download M2 (malware.rules)
2842898 - ETPRO MALWARE FlowCloud Dependency Download M4 (malware.rules)
2844910 - ETPRO MALWARE Possible FlowCloud Dependency Download
(malware.rules)

---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
